CN114422235B - P4-based industrial internet hidden attack defense method - Google Patents
Publication number: CN114422235B (application CN202210052777.7A)
Authority: CN (China)
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/14, detecting or protecting against malicious traffic by monitoring network traffic)
- G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/556: Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
- G06Q50/04: ICT specially adapted for business processes of specific sectors: Manufacturing
- H04L63/0428: Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/1466: Countermeasures against active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
- Y02P90/30: Computing systems specially adapted for manufacturing
Abstract
The invention relates to a P4-based hidden attack defense method for the industrial internet. It operates under an architecture consisting of a bottom-layer physical system, a control system, and a programmable switch deployed at the edge between the physical system and the control system. An encryption algorithm and a decryption algorithm are deployed on the programmable switch, and coarse-grained and fine-grained attack detection is performed through cooperation of the control system and the programmable switch. Because detection is shared between the control system and the switch, the method achieves effective attack prevention, efficient detection, and fast mitigation and recovery.
Description
Technical Field
The invention relates to the fields of the industrial internet and network security, and in particular to a P4-based hidden attack defense method for the industrial internet.
Background
As the application range of the industrial internet continues to expand, industrial internet systems and industrial data are increasingly becoming key targets of attackers. Traditional industrial internet attacks such as replay attacks, spoofing attacks and zero-dynamics attacks require the attacker to have full knowledge of the target system, so their cost is high. The RPDA (robust pole-dynamics attack), a typical hidden attack, greatly reduces that cost and creates a serious asymmetry between attack and defense. Even when the exact model and parameters of the target system are uncertain, the attacker only needs to steal certain easily leaked data (such as control input data and sensor output data), construct attack data from the unstable dynamics of the physical system, and inject it into the industrial control network. This defeats the regulating effect of the feedback controller on the physical system, damages equipment such as the actuators and sensors of the physical system, and finally compromises the whole industrial internet system.
Analysis of industrial network traffic shows that its characteristics differ greatly from those of an ordinary IT network: the traffic distribution is regular as a whole, packet inter-arrival times follow neither a Poisson nor a heavy-tailed distribution, the traffic is periodic on small time scales, shows no self-similarity, and is stable on large time scales. Therefore an ARIMA product seasonal model is introduced to predict the industrial internet traffic time series.
At present there is still no effective prevention, detection and mitigation mechanism for hidden attacks on the industrial internet. Their covert nature makes them hard to detect effectively; the design of a prevention mechanism is constrained by the massive operational load of the industrial internet; and because of the high complexity of industrial-grade networks, the real-time performance of attack mitigation and recovery cannot be guaranteed.
Disclosure of Invention
In view of this, the invention aims to provide a P4-based covert attack defense method for the industrial internet that can effectively prevent attacks, efficiently detect them, and quickly mitigate and recover from them.
To achieve this purpose, the invention adopts the following technical scheme:
A P4-based defense method against hidden attacks on the industrial internet is provided under an architecture of a bottom-layer physical system, a control system and a programmable switch deployed at the edge between the physical system and the control system; an encryption algorithm and a decryption algorithm are deployed on the programmable switch; coarse-grained and fine-grained attack detection is performed through cooperation of the control system and the programmable switch, so that effective attack prevention, efficient detection and rapid mitigation and recovery are realized.
Furthermore, the bottom-layer physical system comprises sensors, actuators and a physical system controller. The sensors interact with the external environment to acquire target data, the actuators execute commands issued by the control system in data packets, and the physical system controller controls state updates of the sensor network to keep the bottom layer of the system stable.
Further, the control system comprises a state estimator, a fine-grained attack detector, an SDN controller and several amplitude devices. The state estimator regulates the physical system: from the sensor output data it computes the state estimation matrix of the physical system at the next instant and, together with the amplitude devices and an adder, derives the control input matrix. The fine-grained attack detector is responsible for fine attack detection and the final strategy decision; when it receives a detection request from the coarse-grained attack detector it exchanges information with the state estimator and performs detection and strategy arbitration according to a built-in algorithm, achieving high-precision detection and accurate mitigation. The SDN controller issues strategies to the corresponding programmable switches. The amplitude devices display real-time signal changes.
Furthermore, several sets of encryption and decryption algorithms are provided in the programmable switch; different algorithms are applied to different types of data packets, and an identification bit is added at the first position of the packet data to identify which algorithm the packet was encrypted with and must be decrypted with.
A P4-based industrial internet hidden attack defense method comprises the following steps:
Step S1: predict the industrial internet traffic time series from its correlation with the sequence values at the same time in the previous N periods and with the sequence values at different times within those periods;
Step S2: after data flows in, capture the corresponding packet traffic time series; the programmable switch samples the traffic time series to the controller in real time, the ARIMA product seasonal model deployed in the control system predicts the traffic time series for several future periods, and the prediction is deployed to the programmable switch;
Step S3: the programmable switch compares the predicted value with the real value to perform coarse-grained detection and preliminarily determine whether the industrial internet is under attack: if the difference between the real value and the predicted value exceeds a threshold, the system is judged to be under attack, though at this stage it cannot be determined whether the attack is a hidden attack; after detection, the control strategy is updated according to the detection result.
Further, the control strategy comprises normal forwarding, discarding the corresponding data packet, disabling the corresponding port, and sending a fine-grained detection request.
Further, if the coarse-grained detector in the programmable switch detects an attack, the corresponding packet is discarded or the corresponding port is disabled directly at the switch, which realizes real-time mitigation, and a fine-grained detection request is sent to the fine-grained attack detector in the control system to determine whether the attack is a hidden attack. On receiving the request, the fine-grained attack detector exchanges information with the state estimator, which sends it the estimated physical system state; the fine-grained detector then uses two anomaly detectors to perform detection and strategy arbitration, realizing high-precision detection and accurate mitigation. If the coarse-grained detector in the programmable switch cannot decide whether an attack is taking place, it reports to the control system; the SDN controller in the control system issues a strategy to the switch and adjusts the port or flow table of the corresponding switch to realize accurate mitigation.
Further, after an attack is detected, the sensor output is obtained again from the physical system as follows: when an attack is detected, the information of the malicious packet is sent to a dedicated SDN controller; the SDN controller receives the data, constructs a simple packet, discards the attacked link, quickly selects the second-best path at the attacked node using the Dijkstra algorithm, sends that path to the physical system, and reroutes the packets subsequently sent by the sensors.
Compared with the prior art, the invention has the following beneficial effects:
1. the method integrates attack prevention, detection, mitigation and recovery, realizing an effective defense against hidden attacks on the industrial internet;
2. through software-hardware co-design and "cloud control system-switch" co-design, the defense has low cost and high precision.
Drawings
FIG. 1 is a schematic block diagram of the present invention;
FIG. 2 is a schematic diagram of the architecture of the present invention;
FIG. 3 is a schematic internal diagram of a programmable switch in accordance with one embodiment of the present invention;
FIG. 4 is a block diagram of a control system according to an embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and embodiments.
Referring to fig. 2, the invention provides a P4-based covert attack defense method for the industrial internet under an architecture of a bottom-layer physical system, a control system and a programmable switch deployed at the edge between the physical system and the control system; an encryption algorithm and a decryption algorithm are deployed on the programmable switch; coarse-grained and fine-grained attack detection is performed through cooperation of the control system and the programmable switch, so that effective attack prevention, efficient detection and rapid mitigation and recovery are realized.
In this embodiment, the bottom-layer physical system consists mainly of sensors, actuators and a physical system controller. The sensors interact with the external environment to acquire target data, the actuators execute commands issued by the control system in data packets, and the physical system controller controls state updates of the sensor network to keep the bottom layer of the system stable. Covert attacks rely on the unstable, naturally divergent dynamics of the physical system: data that is easily leaked while being transmitted over the industrial control network (such as control input data and sensor output data) is used to construct attack data, which is injected into the industrial control network so that it disturbs the control system's regulation of the bottom-layer physical system. Since the industrial internet control system must bear a massive operational load, it cannot tolerate the extra overhead of an encryption mechanism.
In this embodiment, programmable switches are deployed at the edges of the data transmission layer, i.e. between the physical system and the control system, and the encryption and decryption algorithms are deployed on these switches. The encryption algorithm is Algorithm 1, designed on the basis of the Caesar cipher. The programmable switch takes the packet and its length as input: the P4 switch first parses the packet in its parser, converting the packet data into metadata, and then transforms the metadata (usually a group of numbers representing the state of the physical system) bit by bit with Algorithm 1 to produce scrambled data. The decryption algorithm is the inverse process and restores the original numbers. On output, the P4 switch converts the metadata back into packet data in the deparser and emits it. To strengthen the encryption and prevent attacks, several sets of encryption and decryption algorithms can be configured in the switch, with different algorithms applied to different packet types, and an identification bit is added at the first position of the packet data to identify which algorithm the packet must be encrypted and decrypted with. A packet sent by the control system passes through the edge programmable switch, where a packet filter decides whether it is data that must be encrypted; if so, it is encrypted with the algorithm and forwarded after encryption. Before being delivered to the bottom-layer physical system it is decrypted by the edge switch on that side, and the original packet is sent to the bottom-layer physical system.
In this embodiment, the control system and the programmable switch cooperate to perform coarse-grained and fine-grained attack detection. Detection at the control system introduces high delay, so the invention offloads part of the detection algorithm to the programmable network. P4 focuses on the programmable data plane: it lets the user define how the chip processes packets, add custom functions and new protocols or optimize the existing protocol stack, and allocate on-chip resources more rationally. The invention therefore performs real-time packet detection in the P4 programmable switch, guaranteeing low delay. Considering the effect of the switch's inherent limits on detection precision, the invention performs coarse- and fine-grained attack detection cooperatively between the control system and the programmable switch, ensuring both high precision and high efficiency of detection. The switches in the programmable network are shown in figure 2.
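The tag-dispatched transform described above, as an added Python example (not the patent's Algorithm 1 or its P4 implementation): a one-byte identification tag is prepended to the metadata, and the tag selects which of several Caesar-style shift sets the edge switch applies on the way out and inverts on the way in. The algorithm table, the packet-class mapping and the sample state values are all constructed for illustration.

```python
"""Tag-dispatched shift transform of packet metadata at an edge switch.

Added example, not the patent's code.  Each algorithm set is a constructed
(byte shift, xor mask) pair selected by a one-byte tag that is written at the
first position of the packet data, mirroring the identification bit the
patent describes.
"""
from typing import Dict, Tuple

# Constructed algorithm table: tag -> (byte shift, xor mask).  On a real
# switch this would live in a P4 table or register; the values are illustrative.
ALGORITHMS: Dict[int, Tuple[int, int]] = {
    0x01: (3, 0x00),     # plain Caesar-style shift by 3
    0x02: (17, 0x5A),    # shift then xor, for a second packet class
    0x03: (200, 0xFF),   # shift then invert, for everything else
}


def _shift(data: bytes, shift: int, mask: int) -> bytes:
    """Forward transform: add the shift modulo 256, then xor with the mask."""
    return bytes(((b + shift) & 0xFF) ^ mask for b in data)


def _unshift(data: bytes, shift: int, mask: int) -> bytes:
    """Inverse transform: undo the xor, then subtract the shift modulo 256."""
    return bytes(((b ^ mask) - shift) & 0xFF for b in data)


def classify(packet_type: str) -> int:
    """Packet filter: map a packet class to an algorithm tag (constructed mapping)."""
    return {"sensor_output": 0x01, "control_input": 0x02}.get(packet_type, 0x03)


def encrypt(tag: int, payload: bytes) -> bytes:
    """Egress path: prefix the tag byte and transform the payload with its set."""
    if tag not in ALGORITHMS:
        raise ValueError(f"unknown algorithm tag {tag:#x}")
    shift, mask = ALGORITHMS[tag]
    return bytes([tag]) + _shift(payload, shift, mask)


def decrypt(packet: bytes) -> bytes:
    """Ingress path: read the tag, then invert the matching transform."""
    if not packet:
        raise ValueError("empty packet")
    tag = packet[0]
    if tag not in ALGORITHMS:
        raise ValueError(f"unknown algorithm tag {tag:#x}")
    shift, mask = ALGORITHMS[tag]
    return _unshift(packet[1:], shift, mask)


if __name__ == "__main__":
    # Constructed sample: four bytes of physical-system state leaving the control system.
    state = bytes([0x00, 0x01, 0x7F, 0xFF])
    wire = encrypt(classify("control_input"), state)
    print(wire.hex(), decrypt(wire) == state)
```

The point of the example is the dispatch: the receiving switch needs no out-of-band configuration beyond the shared table, because the tag names the set. A byte shift with a fixed mask is a reversible scrambling, not a confidentiality guarantee against an observer who can compare plaintext and transformed packets, so the per-class algorithm sets are best viewed as raising the cost of the data leakage the background section describes, not eliminating it.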
The traffic time series is predicted from the correlation between the industrial internet traffic value and the values at the same time in the previous periods and at different times within the same period. After data flows in, the corresponding packet traffic time series is captured; the switch samples it to the controller in real time, the ARIMA product seasonal model deployed in the control center predicts the traffic time series for several future periods, and the prediction is deployed to the programmable switch. The switch compares the predicted value with the real value to perform coarse-grained detection and preliminarily determine whether the industrial internet is under attack: if the difference between the real and predicted values exceeds a threshold, the system is judged to be under attack, though at this stage it cannot be determined whether the attack is a hidden one. After detection, the control strategy (normal forwarding, discarding the corresponding packet, disabling the corresponding port, or sending a fine-grained detection request) is updated according to the result, realizing low-delay attack detection and mitigation. The P4 code for the critical section of coarse-grained detection is given below.
In this embodiment, if the programmable switch detects an attack, a fine-grained detection request is sent to the fine-grained attack detector in the control system to further determine whether the attack is a hidden attack. On receiving the request from the coarse-grained detector, the fine-grained attack detector exchanges information with the state estimator, which sends it the estimated physical system state; the fine-grained detector then uses two anomaly detectors to perform detection and strategy arbitration, realizing high-precision detection and accurate mitigation. The SDN controller issues policies to the respective programmable switches. The amplitude meter displays real-time signal changes.
In this embodiment, attack mitigation and recovery proceed as follows. First the programmable SDN switch mitigates the attack at coarse granularity: when the switch's coarse-grained detector detects an attack, it discards the corresponding packet or disables the corresponding port directly, realizing real-time mitigation; if it cannot decide whether an attack is taking place, it reports to the control system, receives the strategy issued by the SDN controller in the control system, and manages its ports or flow table according to that strategy, realizing accurate mitigation. Specifically:
When an attacker compromises any link in the network and launches an attack, the SDN controller receives the attack signal from the switch and runs an attacked-link localization algorithm to locate the attacked link quickly and accurately. The attacked-link localization algorithm (Algorithm 2) determines which link is attacked by comparing the information received over the links.
Attack recovery refers to the process of acquiring the sensor output from the physical system again after an attack has been detected. A fast packet retransmission mechanism is used to reduce the recovery delay for hidden attacks: when an attack is detected, the information of the malicious packet (source and destination IP and port) is sent to a dedicated SDN controller; the SDN controller receives the data, constructs a simple packet, discards the attacked link, quickly selects the second-best path at the attacked node using the Dijkstra algorithm, sends that path to the physical system, and reroutes the packets subsequently sent by the sensors. This realizes a low-delay attack recovery process.
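The coarse-grained check the patent assigns to the switch, as an added Python example rather than the patent's own P4 code. It also covers steps S1 to S3 of the method summary above. Two things are assumptions: a simplified seasonal predictor (the per-phase mean over the last N periods) stands in for the ARIMA product seasonal model the control system would run, and the rule for choosing among the listed strategies (drop on a first deviation, disable the port after repeated deviations, always raise a fine-grained request) is constructed, since the patent lists the strategies but not the selection rule. The traffic samples are constructed.

```python
"""Switch-side coarse-grained detection against a deployed traffic prediction.

Added example, not the patent's code.  The control system is assumed to
predict the next period from the previous N periods with a per-phase mean
(a stand-in for the ARIMA product seasonal model); the switch compares each
live sample with the deployed prediction and picks a data-plane action.
"""
from statistics import mean
from typing import List, Tuple

FORWARD, DROP, DISABLE_PORT = "forward", "drop", "disable_port"


def predict_period(history: List[float], period: int, n_periods: int) -> List[float]:
    """Predict one future period: at each phase, average the values observed at
    the same phase in the previous n_periods periods (assumed stand-in model)."""
    need = period * n_periods
    if len(history) < need:
        raise ValueError(f"need at least {need} samples, got {len(history)}")
    recent = history[-need:]
    return [mean(recent[k * period + phase] for k in range(n_periods))
            for phase in range(period)]


def coarse_detect(observed: float, predicted: float, threshold: float) -> bool:
    """Deviation beyond the deployed threshold means 'under attack', without yet
    knowing whether the attack is a hidden one."""
    return abs(observed - predicted) > threshold


def run_switch(history: List[float], live: List[float], period: int,
               n_periods: int, threshold: float, max_strikes: int = 3
               ) -> Tuple[List[str], List[int]]:
    """Apply the deployed prediction to live samples.  Returns the action taken
    per sample and the sample indices for which a fine-grained detection request
    is sent to the control system (constructed policy: every flagged sample)."""
    predicted = predict_period(history, period, n_periods)
    actions: List[str] = []
    fine_requests: List[int] = []
    strikes = 0  # consecutive-or-not count of flagged samples on this port
    for i, observed in enumerate(live):
        expected = predicted[i % period]
        if not coarse_detect(observed, expected, threshold):
            actions.append(FORWARD)
            continue
        strikes += 1
        actions.append(DISABLE_PORT if strikes >= max_strikes else DROP)
        fine_requests.append(i)
    return actions, fine_requests


# Constructed traffic: packets per sampling interval, period of 4 samples.
HISTORY = [10.0, 20.0, 30.0, 40.0] * 3
LIVE = [11.0, 19.0, 90.0, 41.0, 95.0, 100.0, 30.0]

if __name__ == "__main__":
    print(run_switch(HISTORY, LIVE, period=4, n_periods=2, threshold=5.0))
```

On a real P4 target the prediction would be written into registers indexed by phase and the comparison done per packet in the ingress pipeline; the strike counter is the kind of per-port state a register array holds. The threshold is the parameter that trades false alarms for missed deviations, which is why the method hands every flagged sample to the fine-grained detector instead of acting on the switch verdict alone.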
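The fine-grained stage described above, as an added Python example (not the patent's built-in algorithm, which the text does not specify): a state estimator predicts the next sensor output from the last measurement and control input, and two anomaly detectors run on the residual, one thresholding the instantaneous residual and one a one-sided CUSUM on its magnitude, with an arbitration step mapping the pair of verdicts to a policy for the SDN controller. The scalar plant model, thresholds, and the trace with a slowly growing deviation are all constructed.

```python
"""Fine-grained detection with a state estimator and two anomaly detectors.

Added example, not the patent's code.  Assumptions: a scalar plant
x[t+1] = a*x[t] + b*u[t] with y[t] = x[t]; the estimator predicts the next
output from the last measurement and control input; detector 1 thresholds the
instantaneous residual, detector 2 is a one-sided CUSUM on |residual|; the
arbitration rule and all numbers are constructed.
"""
from typing import List, Tuple


def residuals(us: List[float], ys: List[float], a: float = 0.9, b: float = 1.0) -> List[float]:
    """One-step prediction residual r[t] = y[t] - (a*y[t-1] + b*u[t-1])."""
    return [ys[t] - (a * ys[t - 1] + b * us[t - 1]) for t in range(1, len(ys))]


def instantaneous_detector(rs: List[float], tau: float = 0.5) -> List[bool]:
    """Detector 1: a single residual larger than tau."""
    return [abs(r) > tau for r in rs]


def cusum_detector(rs: List[float], drift: float = 0.1, h: float = 1.0) -> List[bool]:
    """Detector 2: accumulated residual magnitude above drift crosses h,
    which catches a small deviation that grows slowly."""
    s, out = 0.0, []
    for r in rs:
        s = max(0.0, s + abs(r) - drift)
        out.append(s > h)
    return out


def arbitrate(inst: List[bool], cus: List[bool]) -> str:
    """Map the two verdicts to a policy for the SDN controller (constructed rule)."""
    fired = (any(inst), any(cus))
    if fired == (True, True):
        return "adjust_flow_table"     # hidden attack confirmed: accurate mitigation
    if fired == (False, False):
        return "restore_forwarding"    # coarse-grained alarm not confirmed
    return "keep_dropping"             # one detector only: keep switch-side mitigation


def fine_grained_check(us: List[float], ys: List[float]) -> Tuple[List[bool], List[bool], str]:
    """Run both detectors on the estimator residuals and arbitrate."""
    rs = residuals(us, ys)
    inst, cus = instantaneous_detector(rs), cusum_detector(rs)
    return inst, cus, arbitrate(inst, cus)


def constructed_trace(n: int = 10, a: float = 0.9, b: float = 1.0, onset: int = 5
                      ) -> Tuple[List[float], List[float]]:
    """Nominal plant run with unit control input, plus a constructed additive
    deviation on the sensor output that grows by 1.5x per step from `onset`."""
    us = [1.0] * n
    xs = [0.0]
    for t in range(1, n):
        xs.append(a * xs[-1] + b * us[t - 1])
    ys = [x + (0.3 * 1.5 ** (t - onset) if t >= onset else 0.0) for t, x in enumerate(xs)]
    return us, ys


if __name__ == "__main__":
    print(fine_grained_check(*constructed_trace()))
```

The two detectors are complementary: the instantaneous test reacts to a large jump, the CUSUM to a deviation that stays under the jump threshold but persists. In the constructed trace the deviation is below tau for four steps and only the accumulated statistic tracks it, which is the case a single-threshold detector on the switch would miss.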
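The recovery step described above, as an added Python example (not the patent's code): the controller receives the malicious-packet information, removes the attacked link from its view of the topology, and runs Dijkstra from the attacked node to obtain the next-best path for the sensor traffic. The topology, link costs, and the alert fields are constructed.

```python
"""Recovery by discarding the attacked link and rerouting with Dijkstra.

Added example, not the patent's code.  The topology, link costs and the alert
format (source/destination IP and port of the malicious packet plus the
attacked link) are constructed.
"""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, float]]

# Constructed topology: sensor S, switches A, B, C, control system T.
TOPOLOGY: Graph = {
    "S": {"A": 1.0},
    "A": {"S": 1.0, "T": 1.0, "B": 1.0, "C": 2.0},
    "B": {"A": 1.0, "T": 1.0},
    "C": {"A": 2.0, "T": 2.0},
    "T": {"A": 1.0, "B": 1.0, "C": 2.0},
}


@dataclass(frozen=True)
class Alert:
    """Malicious-packet information sent to the SDN controller (constructed fields)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attacked_link: Tuple[str, str]


def dijkstra(graph: Graph, src: str) -> Tuple[Dict[str, float], Dict[str, str]]:
    """Standard Dijkstra; returns distances and predecessor map from src."""
    dist: Dict[str, float] = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale entry
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def shortest_path(graph: Graph, src: str, dst: str) -> Optional[Tuple[List[str], float]]:
    """Path and cost from src to dst, or None if dst is unreachable."""
    dist, prev = dijkstra(graph, src)
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def without_link(graph: Graph, link: Tuple[str, str]) -> Graph:
    """Copy of the topology with the attacked link removed in both directions."""
    a, b = link
    g = {u: dict(nbrs) for u, nbrs in graph.items()}
    g.get(a, {}).pop(b, None)
    g.get(b, {}).pop(a, None)
    return g


def reroute(graph: Graph, alert: Alert, dst: str) -> Optional[Tuple[List[str], float]]:
    """Controller step: discard the attacked link and recompute the path from the
    attacked node (the upstream endpoint of the link) towards dst."""
    attacked_node = alert.attacked_link[0]
    return shortest_path(without_link(graph, alert.attacked_link), attacked_node, dst)


if __name__ == "__main__":
    alert = Alert("10.0.0.5", 40001, "10.0.1.1", 5020, ("A", "T"))
    print(shortest_path(TOPOLOGY, "A", "T"), reroute(TOPOLOGY, alert, "T"))
```

The rerouted path is what the controller installs into the flow tables of the switches along it and sends to the physical system so that subsequent sensor packets avoid the attacked link; the original link stays excluded until the fine-grained stage clears it.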
The above description is only a preferred embodiment of the present invention; all equivalent changes and modifications made according to the claims of the present invention fall within its scope.
Claims (4)
1. A P4-based industrial internet covert attack defense method, characterized by comprising a bottom-layer physical system, a control system and a programmable switch deployed at the edge between the physical system and the control system; an encryption algorithm and a decryption algorithm are deployed on the programmable switch; coarse-grained and fine-grained attack detection is performed through cooperation of the control system and the programmable switch;
the control system comprises a state estimator, a fine-grained attack detector, an SDN controller and several amplitude devices; the state estimator regulates the physical system, computes the state estimation matrix of the physical system at the next instant from the sensor output data, and together with the amplitude devices and an adder derives the control input matrix; the fine-grained attack detector is responsible for fine attack detection and the final strategy decision, exchanges information with the state estimator when it receives a detection request from the coarse-grained attack detector, and performs detection and strategy decision according to a built-in algorithm to realize high-precision detection and attack defense; the SDN controller issues strategies to the corresponding programmable switches; the amplitude devices display real-time signal changes;
the strategy comprises normal forwarding, discarding the corresponding data packet, disabling the corresponding port, and sending a fine-grained detection request;
when an attack is detected, the control system automatically acquires the sensor output from the physical system again: the information of the malicious packet is sent to a dedicated SDN controller, the SDN controller receives the data, constructs a simple packet, discards the attacked link, quickly selects the second-best path at the attacked node using the Dijkstra algorithm, sends that path to the physical system, and reroutes the packets subsequently sent by the sensors.
2. The P4-based industrial internet covert attack defense method according to claim 1, characterized in that: the bottom-layer physical system comprises sensors, actuators and a physical system controller; the sensors interact with the external environment to acquire target data, the actuators execute commands issued by the control system in data packets, and the physical system controller controls state updates of the sensor network to keep the bottom layer of the system stable.
3. The P4-based industrial internet covert attack defense method according to claim 1, characterized in that: the programmable switch is provided with several sets of encryption and decryption algorithms, different algorithms are applied to different types of data packets, and an identification bit is added at the first position of the packet data to identify which algorithm the packet is to be encrypted and decrypted with.
4. The P4-based industrial internet covert attack defense method according to claim 1, characterized in that: if the coarse-grained detector in the programmable switch detects an attack, the corresponding packet is discarded or the corresponding port is disabled directly at the switch, realizing real-time mitigation, and a fine-grained detection request is sent to the fine-grained attack detector in the control system to further determine whether the attack is a hidden attack; on receiving the request from the coarse-grained detector, the fine-grained attack detector exchanges information with the state estimator, the state estimator sends the estimated physical system state to the fine-grained attack detector, and the fine-grained detector then uses two anomaly detectors to perform detection and strategy arbitration, realizing high-precision detection and accurate mitigation; if the coarse-grained detector in the programmable switch cannot decide whether an attack is taking place, it reports to the control system, the SDN controller in the control system issues a strategy to the switch, and the port or flow table of the corresponding switch is adjusted to realize accurate mitigation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210052777.7A CN114422235B (en) | 2022-01-18 | 2022-01-18 | P4-based industrial internet hidden attack defense method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210052777.7A CN114422235B (en) | 2022-01-18 | 2022-01-18 | P4-based industrial internet hidden attack defense method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114422235A CN114422235A (en) | 2022-04-29 |
CN114422235B true CN114422235B (en) | 2023-03-24 |
Family
ID=81274109
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210052777.7A Active CN114422235B (en) | 2022-01-18 | 2022-01-18 | P4-based industrial internet hidden attack defense method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114422235B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115834459B (en) * | 2022-10-10 | 2024-03-26 | Dalian Maritime University | Dynamic cleaning system and method for link flooding attack flow |
CN115664740B (en) * | 2022-10-17 | 2024-07-23 | University of Jinan | Data packet forwarding attack defense method and system based on programmable data plane |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107959690A (en) * | 2018-01-16 | 2018-04-24 | National University of Defense Technology of the Chinese People's Liberation Army | DDoS attack cross-layer cooperative defense method based on software defined network |
CN111614627A (en) * | 2020-04-27 | 2020-09-01 | China Ship Development and Design Center | SDN-oriented cross-plane cooperation DDOS detection and defense method and system |
CN112202645A (en) * | 2020-11-12 | 2021-01-08 | Fuzhou University | Measuring system based on mimicry defense and Sketch algorithm and abnormal flow detection method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018141432A1 (en) * | 2017-01-31 | 2018-08-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and attack detection function for detection of a distributed attack in a wireless network |
US11558423B2 (en) * | 2019-09-27 | 2023-01-17 | Stealthpath, Inc. | Methods for zero trust security with high quality of service |
CN113630420A (en) * | 2021-08-17 | 2021-11-09 | Kunming University of Science and Technology | SDN-based DDoS attack detection method |
2022
- 2022-01-18 CN CN202210052777.7A patent/CN114422235B/en active Active
Non-Patent Citations (2)
Title |
---|
Detecting and Mitigating Target Link-Flooding Attacks Using SDN; Juan Wang et al.; IEEE Transactions on Dependable and Secure Computing; 20180402; full text * |
DDoS attack detection system in an OpenFlow-based SDN network environment; An Ying et al.; Journal of Southeast University (Natural Science Edition); 20171120; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114422235A (en) | 2022-04-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114422235B (en) | P4-based industrial internet hidden attack defense method | |
US10681079B2 (en) | Method for mitigation of cyber attacks on industrial control systems | |
Dao et al. | Securing heterogeneous IoT with intelligent DDoS attack behavior learning | |
Wang et al. | SGS: Safe-guard scheme for protecting control plane against DDoS attacks in software-defined networking | |
Chi et al. | How to detect a compromised SDN switch | |
US20180109557A1 (en) | SOFTWARE DEFINED NETWORK CAPABLE OF DETECTING DDoS ATTACKS USING ARTIFICIAL INTELLIGENCE AND CONTROLLER INCLUDED IN THE SAME | |
Cheng et al. | Machine learning based low-rate DDoS attack detection for SDN enabled IoT networks | |
CN106487790B (en) | Cleaning method and system for ACK FLOOD attacks | |
CN106375157A (en) | Phase-space-reconstruction-based network flow correlation method | |
Zheng | Research on SDN-based IoT security architecture model | |
Siregar et al. | Intrusion prevention system against denial of service attacks using genetic algorithm | |
Karnani et al. | A comprehensive survey on low-rate and high-rate DDoS defense approaches in SDN: taxonomy, research challenges, and opportunities | |
Thorat et al. | SDN-based machine learning powered alarm manager for mitigating the traffic spikes at the IoT gateways | |
Chai et al. | A study of security threat for Internet of Things in smart factory | |
Rai et al. | Distributed DoS attack detection and mitigation in software defined network (SDN) | |
Ponomarev et al. | Session duration based feature extraction for network intrusion detection in control system networks | |
Hyder et al. | Closed-loop ddos mitigation system in software defined networks | |
Revathi et al. | RMCARTAM For DDoS Attack Mitigation in SDN Using Machine Learning. | |
Atkison et al. | Feature Extraction Optimization for Network Intrusion Detection in Control System Networks. | |
Hasan et al. | Self-healing cyber resilient framework for software defined networking-enabled energy delivery system | |
Pashkov et al. | Protection of the Control Plane from DDoS Attacks in Software-Defined Networks | |
Sinha et al. | Distributed Denial of Service Attack Detection and Prevention in Local Area Network | |
Thang et al. | Synflood spoofed source DDoS attack defense based on packet ID anomaly detection with bloom filter | |
Khajuria et al. | Analysis of the ddos defense strategies in cloud computing | |
Munir et al. | Detection and Mitigation of Distributed Denial of Service Attacks on Network Architecture Software Defined Networking Using the Naive Bayes Algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||